[Spce-user] Possible Bug? - NGCP Firewall in mr6.5.3
Hohl Matthias
matthias.hohl at telematica.at
Tue Apr 2 09:20:47 EDT 2019
The config.yml settings:

security:
  firewall:
    enable: yes
    logging:
      days_kept: '7'
      enable: yes
      file: /var/log/firewall.log
      tag: NGCPFW
    nat_rules4: ~
    nat_rules6: ~
    policies:
      forward: DROP
      input: DROP
      output: ACCEPT
    rules4: ~
    rules6: ~
BTW: also, no /var/log/firewall.log file gets created…

From: Spce-user <spce-user-bounces at lists.sipwise.com> On Behalf Of Hohl Matthias
Sent: Tuesday, 2 April 2019 15:18
To: 'spce-user' <spce-user at lists.sipwise.com>
Subject: [Spce-user] Possible Bug? - NGCP Firewall in mr6.5.3
Hello,
I configured the new NGCP Firewall in my config.yml file and applied it with ngcpcfg apply, and my iptables looks like this:
root at spce:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 3139 packets, 517K bytes)
pkts bytes target prot opt in out source destination
3139 517K f2b-KAMAILIO all -- * * 0.0.0.0/0 0.0.0.0/0
3142 518K f2b-KAMAILIO all -- * * 0.0.0.0/0 0.0.0.0/0
3174 522K rtpengine all -- * * 0.0.0.0/0 0.0.0.0/0
Now I apply the iptables filter with iptables-apply. Now it looks like this:
root at spce:~# iptables -L -n -v
Chain INPUT (policy DROP 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination
45 10017 f2b-KAMAILIO all -- * * 0.0.0.0/0 0.0.0.0/0
49 10197 f2b-KAMAILIO all -- * * 0.0.0.0/0 0.0.0.0/0
58 31203 rtpengine udp -- * * 0.0.0.0/0 0.0.0.0/0
53 26575 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
45 9670 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 0
3 841 cluster all -- * * 0.0.0.0/0 0.0.0.0/0
1 761 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 /* sip_ext */
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5060 /* sip_ext */
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5061 /* sip_ext */
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5222 /* sip_ext */
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5269 /* sip_ext */
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp dpts:30000:44999 /* rtp_ext */
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 /* web_ext */
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1443 /* web_int */
0 0 ACCEPT tcp -- eth0 * 92.42.136.52 0.0.0.0/0 tcp dpt:22 /* ssh_ext */
2 80 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 5/min burst 10 LOG flags 0 level 7 prefix "NGCPFW[DROP]: "
So far so good, BUT if I reboot the machine now, the iptables policies are removed and it looks like it did before I ran the “iptables-apply” command.
So I have to run “iptables-apply” again to have my iptables rules installed.
The iptables settings are not reboot resistant.
I read the handbook carefully several times, but can’t find a solution for this behavior. Is this a bug?
SECOND:
It looks like iptables-apply just sets the rules for my eth0 interface, but not for eth1… How can I enable these rules for eth1 too?
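The two symptoms reported above (the INPUT policy falling back to ACCEPT after a reboot, and the accept rules existing only for eth0) are exactly what a post-boot sanity check should catch. The script below is an added example, not code from the post or from Sipwise/NGCP: it parses saved output of "iptables -L -n -v" (the two listings from the post, abridged and embedded as constructed sample input) and reports whether the DROP policy is in force and which interfaces carry the sip_ext rules. The comment tags sip_ext and rtp_ext are the ones visible in the listing; the interface list "eth0 eth1" is an assumption for illustration. On a live host you would pipe "iptables -L -n -v" into a file and run the same functions from a boot-time cron job or a monitoring check.

```shell
#!/bin/sh
# Added example (not from the post or from Sipwise/NGCP): a post-boot sanity
# check for a netfilter ruleset, parsing saved "iptables -L -n -v" output so
# that it runs offline.

# Return 0 if the INPUT chain's default policy is DROP, 1 otherwise.
# $1 = file holding "iptables -L -n -v" output.
input_policy_is_drop() {
    awk '/^Chain INPUT/ { if ($0 ~ /policy DROP/) found = 1 }
         END { exit(found ? 0 : 1) }' "$1"
}

# Print (sorted, unique) the input interfaces of every rule carrying the
# comment tag $2. In the -v listing the columns are
#   pkts bytes target prot opt in out source destination ...
# so the "in" interface is field 6.
# $1 = file holding "iptables -L -n -v" output, $2 = tag such as sip_ext.
interfaces_for_tag() {
    awk -v tag="/* $2 */" 'index($0, tag) { print $6 }' "$1" | sort -u
}

# Overall check: DROP policy in place and sip_ext rules present on every
# interface named in $2 (space separated). Returns 0 only if all checks pass.
check_firewall() {
    file=$1
    rc=0
    if input_policy_is_drop "$file"; then
        echo "OK:   INPUT policy is DROP"
    else
        echo "FAIL: INPUT policy is not DROP (ruleset lost, e.g. after a reboot?)"
        rc=1
    fi
    for ifc in $2; do
        if interfaces_for_tag "$file" sip_ext | grep -qx "$ifc"; then
            echo "OK:   sip_ext rules present on $ifc"
        else
            echo "FAIL: no sip_ext rules on $ifc"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input, abridged from the two listings in the post:
# BEFORE = state seen after a reboot (policy ACCEPT, only the fail2ban and
# rtpengine jumps), AFTER = state right after iptables-apply.
BEFORE=$(mktemp)
AFTER=$(mktemp)
cat > "$BEFORE" <<'EOF'
Chain INPUT (policy ACCEPT 3139 packets, 517K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3139  517K f2b-KAMAILIO  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 3174  522K rtpengine  all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
cat > "$AFTER" <<'EOF'
Chain INPUT (policy DROP 1 packets, 40 bytes)
 pkts bytes target     prot opt in     out     source               destination
   53 26575 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    1   761 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 /* sip_ext */
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5061 /* sip_ext */
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpts:30000:44999 /* rtp_ext */
    2    80 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 10 LOG flags 0 level 7 prefix "NGCPFW[DROP]: "
EOF

# Stand-alone demo: the reboot state fails outright, the applied state passes
# for eth0 but fails for the (assumed) second interface eth1.
echo "== state after reboot =="
check_firewall "$BEFORE" "eth0 eth1" || echo "=> firewall check failed"
echo "== state after iptables-apply, expecting rules on eth0 and eth1 =="
check_firewall "$AFTER" "eth0 eth1" || echo "=> firewall check failed"
```

The check deliberately keys on the comment tags that ngcpcfg writes into the rules rather than on port numbers, so it keeps working when the port set in config.yml changes; a rule that disappears together with its interface binding shows up as a missing tag on that interface rather than silently passing.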